vrrp

I have 2 Juniper M7is set up with BGP and VRRP, and when I unplug one of the interfaces on the backup router, for some reason that router becomes the VRRP master and I have no idea why. Can someone help me? Thanks!

Re: vrrp

You can't plug the backup interface in again; if not, it will become VRRP master because this link is active but it doesn't see any other VRRP router on that link.

If you want to be sure it will never become master, you will have to add another interface between R1 and R2. Create another VRRP group, and join all VRRP groups with the inherit command like in the following example but using several units or interfaces.

What vrrp-inherit-from will do is group the status of all VRRP groups, so R1 or R2 will be master or backup for all groups and interfaces at the same time. This way, if the backup router is reachable through some other interface, it will not become master while it sees the master router through that interface. So the master router will always be master, and the backup will always be backup, unless it doesn't see the master router through any interface.

Re: vrrp

The VRRP inherit is like a "follow the leader". There will be the active or main group under an active interface. If this is master, the follower VRRP group will be master regardless of its priority.

But if the active group becomes backup for any reason, a tracked interface, or route, the follower will become backup.

Your configuration is right except you mix fe- and ge- interfaces, and you use different vrrp address and unit ip address for group 1.

Anyway this is not the right way to do this.

It will be good if you can use two interfaces. The objective is to be sure the master is down before the backup router becomes master. If you only use one interface you will lose the VRRP hellos from the master on both VRRP groups, and both will become master.

If you use a single interface, then it's better to use several units and VLAN tagging. If there are some problems with the fws VLAN then your backup router will not become master if the active VRRP VLAN is working properly.

On the other hand, for sure you will have at least two interfaces in your routers. If you use VRRP on both interfaces, then it will synchronize the VRRP state for all VRRP groups and interfaces.

You will have to track the secondary interfaces under your active group. Think of it as having an "incoming" interface from the network, and an "outgoing" interface to the fws. You want this router to be master at the "incoming" interface only if the "outgoing" interface is up. The active VRRP will be the incoming interface, and the outgoing will inherit the active status. If any of these two interfaces goes down, both will become backup.
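
The inheritance and interface tracking described in the replies above, sketched as a Junos configuration for the single-interface case with several units and VLAN tagging. This is an added example, not configuration posted by anyone in the thread; the VLAN IDs, unit numbers, addresses and priorities are constructed, and only the interface names fe-0/2/0 and fe-0/3/0 come from the thread.

```junos
/* Added example, not from the thread. VLAN IDs, unit numbers, addresses
   and priorities are constructed values. */
interfaces {
    fe-0/2/0 {
        vlan-tagging;
        unit 10 {
            vlan-id 10;
            family inet {
                address 10.10.10.2/24 {
                    /* Active group: its election decides master/backup */
                    vrrp-group 1 {
                        virtual-address 10.10.10.1;
                        priority 200;
                        /* If the outside link goes down, priority drops to
                           50 so the peer (assumed priority 100) takes over */
                        track {
                            interface fe-0/3/0.0 {
                                priority-cost 150;
                            }
                        }
                    }
                }
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 10.10.20.2/24 {
                    /* Follower group: copies the master/backup state of
                       group 1 on unit 10 instead of electing on its own */
                    vrrp-group 2 {
                        virtual-address 10.10.20.1;
                        vrrp-inherit-from {
                            active-interface fe-0/2/0.10;
                            active-group 1;
                        }
                    }
                }
            }
        }
    }
}
```

With this committed on both routers, show vrrp should report the same state for group 1 and group 2 on each router.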

Re: vrrp

I'm sorry, I understand that you plug your VRRP interface into the FW. So your fe-0/2/0 interface connects to the inner network, and fe-0/3/0, fe-0/3/1 to the outer network through the fws. Could you post a show vrrp and show interface terse while having the problems?

Re: vrrp

Yes, fe-0/2/0 is connected to the inside and fe-0/3/0 and fe-0/3/1 are connected to the outside.

Here is the relevant show interface terse; there are other interfaces that are used also:

Interface               Admin Link Proto    Local                 Remote
fe-0/2/0                up    up
fe-0/2/0.0              up    up   inet     192.168.0.1/24
                                   multiservice
fe-0/3/0                up    up
fe-0/3/0.0              up    up   inet     4.x.x.x/30
                                   multiservice
ge-1/3/0                up    up
ge-1/3/0.0              up    up   inet     209.x.x.x/30
                                   multiservice

Re: vrrp

It would be good if you could post a diagram of where the FortiGate is. If this is between the routers then the fw is filtering the VRRP frames. There should always be connectivity through the VRRP interfaces.

Anyway, you could use the connection between those routers as the VRRP primary group. And the other interface will inherit its state. So the backup will become master only if the primary router is down. It doesn't matter if you don't need VRRP on those interfaces, if this is Ethernet of course.